What you will get from this guide

1. Introduction

Microsoft Windows is the world's most used consumer operating system. If you are using Windows there is a chance you did not even choose it, but it was simply the system that was already installed when you bought your computer.

Windows is considered a standard in many office environments, as is some other Microsoft software such as Microsoft Office. Some common and specialised software is only available for Windows.

The popularity of Windows also makes it a target for malware. The majority of new malware targets vulnerabilities and insecure user practices on the Windows operating system.

Windows is a closed-source operating system. This means that the source code of the system cannot be reviewed or verified by users or the security community. The security guarantees made by Microsoft can only be taken at face value as they cannot be independently audited.

This guide provides some tips on how to secure your Windows operating system and it has been written on Windows 10. Most instructions also apply to Windows 7 or 8.1, however the exact appearance or titles may be slightly different. Where significant differences for earlier versions exist we have provided version-specific sections.

1.0. Alternatives to Windows

Many people may not even know that there are alternatives to Windows. There are two major alternative operating system choices. Mac is a line of computers manufactured exclusively by Apple and running their own operating system called Mac OS X. Then there is the UNIX-like family of operating systems, of which GNU/Linux is the most well-known. These are free and open source operating systems which can be distributed freely and with source code which can be independently audited or modified by anyone. There are many 'flavours' of GNU/Linux, some popular ones include Ubuntu, Debian, Fedora, and Mint. GNU/Linux can run on most computers which operate Microsoft Windows.

2. Privacy-enhancing settings

Windows communicates information from your computer back to Microsoft and other servers which can violate the privacy of the user. To limit (though not eliminate) these communications, there are some configuration options you can select. The process will be different if you are installing a new copy of Windows on a computer or if you are working on a computer with Windows already installed.

2.1. How to select privacy-protecting options when installing Windows

Step 1. While installing Windows you will be asked to accept Express Settings which contain the most invasive Microsoft-selected settings to send personal data to the company and its advertising partners.

Note: You may make your own decisions on each of the below options based on your own comfort level trading privacy and functionality. Below are our suggestions for the best privacy and security.

Step 2. On the first Customise Settings screen, click on all options, they will turn to

Figure 2: Windows installation Customise Settings page 1

Step 3.Click to move to the next Customise Settings screen.

Step 4. On the second Customise Settings screen leave Use SmartScreen online service to help protect against malicious content and downloads in sites loaded by Windows browsers and Store apps activated as it will enhance security. For the remaining options click to change them to .

Figure 3: Windows installation Customise Settings page 2

Step 5.Click and continue with Windows installation.

2.1.1. How to select privacy-protecting options if Windows is already installed

If you already have Windows installed, you can select privacy-protecting options through the following steps:

Step 1.Select[Settings] through the main Windows menu bar, as illustrated below:

Figure 1: Selecting Windows Settings

Step 2.Click[Privacy] through your Settings screen.

Figure 2: Selecting Windows Privacy Settings

Through the following tabs, you can configure your settings to enhance your privacy.

General tab

Step 1. To limit the amount of data collected by third parties, click on all the buttons to turn them off.

Figure 3: General privacy options

Step 2. To limit personal ads on your browser, click the [Manage my Microsoft advertising and other personalization info] link under the privacy options. This will direct you to Microsoft's personalized ads webpage.

Figure 4: Microsoft personalized ads webpage

Step 3.Click the button under Personalized ads in this browser to turn it off.

Step 4. Similarly, click the button under Personalized ads wherever I use my Microsoft account to turn it off.

Step 1.Click the button under Location to turn it off. This prevents third parties from collecting location data.

Figure 6: Location settings

Step 2.Scroll down to the Location history section of the Location settings. Click the [Clear] button to clear your device history.

Figure 7: Clear history settings

Step 3.Scroll further down to configure the location access that apps can have through your device. To limit the access of these apps to your location data, click on their respective buttons to turn them off.

Figure 8: Limiting app access to location data

Camera tab

Step 1.Click the button under Let apps use my camera to turn it off.

Figure 9: Camera privacy options

Step 2. To restrict apps from accessing your camera, click on their respective buttons to turn them off.

Microphone tab

Step 1.Click the button under Let apps use my microphone to turn it off.

Figure 10: Microphone privacy options

Step 2. To restrict apps from accessing your microphone, click on their respective buttons to turn them off.

Speech, inking, & typing tab

Step 1. To limit Microsoft from collecting information like your contacts, typing history, calendar events, speech and handwriting patterns, do not click on [Get to know me] button and ensure that any eventual dials on this screen are turned off.

Figure 11: Speect, inking, & typing tab

Account info tab

Step 1.Click the button under Let apps access my name, picture and other account info to turn it off and to limit apps from accessing your account information.

Figure 12: Account info tab

Contacts tab

Step 1. To restrict apps from accessing your contacts, click on their respective buttons to turn them off.

Figure 13: Contacts tab

Calendar tab

Step 1.Click the button under Let apps use my calendar to turn it off.

Figure 14: Calendar privacy options

Step 2. To restrict apps from accessing your calendar, click on their respective buttons to turn them off.

Call History tab

Step 1.Click the button under Let apps use my call history to turn it off.

Figure 15: Call history privacy options

Step 2. To restrict apps from accessing your call history, click on their respective buttons to turn them off.

Email tab

Step 1.Click the button under Let apps access and send email to turn it off.

Figure 16: Email privacy options

Step 2. To restrict apps from accessing and sending email, click on their respective buttons to turn them off.

Messaging tab

Step 1. Choose apps that can read or send messages by clicking on their respective buttons (to turn them on or off).

Figure 17: Messaging options

Radios tab

Step 1.Click the button under Let apps control radios to turn it off.

Figure 18: Radios options

Other devices tab

Step 1. To prevent your apps from automatically sharing and syncing information with other wireless devices, click the button to turn it off.

Figure 19: Syncing with other devices

Feedback & diagnostics tab

Here you can choose how and whether you would like to send device feedback back to Microsoft Windows for diagnostics. We recommend choosing that you should Never be asked for feedback and sending Basic diagnostic information:

Figure 20: Feedback & diagnostics options

Background apps

Here you can choose which apps you want to run in the background (receiving information, sending notifications, and staying up-to-date). To disable apps from running in the background, click on their respective buttons to turn them off. We recommend switching all (or as many as you can) of the apps off. You can start by switching all of them off and then attend to those which need to be switched on.

Figure 21: Background apps options

2.2. User Account Password

Password-protecting your and all other user accounts and using unique user accounts for each person accessing the computer are basic security requirements.

2.2.1. How to check if your Windows account is password protected

Step 1.Press + L. which is the shortcut to lock your screen. If you have a password on your user account you will need to enter it here. If you do not have a password you will be able to access your desktop again without entering a password.

Note: The Windows key is a key located on most windows computers between the Ctrl and Alt keys, it should either have a or icon on it.

Figure 1: Windows lock screen with password-protected user account

2.2.2. How to password-protect a Windows user account

Step 1.Click to open the Windows Start menu then click to open the settings panel.

Step 2.Click[Accounts] then select [Sign-in options] from the left-hand menu.

Figure 1: Account sign-in page when there is no user password set

Step 3.Click[ADD] to add a new password.

Step 4. Enter your new password under New password and Reenter password. Be mindful that you do not reveal too much about your password in the Password hint field. For guidance on how to create strong passwords see our tactics guide How to create and maintain secure passwords

Figure 2: Windows account password creation screen

Step 5.Click[Next] to apply your new password. Revisit this process if you wish to change your password.

2.2.3. How to add new Windows user accounts or a guest account

To add new Windows user accounts or a guest account, follow the steps below:

Step 1.Select[Accounts] through your Settings menu.

Figure 1: Selecting Accounts through the Windows Settings menu

Step 2.Select the [Family & other users] tab on the left side of the Account Settings window.

Figure 2: Family & other users tab of the Account Settings window

Step 3.Click the plus sign next to [Add someone else to this PC] under Other users.

Step 4. Through the following window, click on the [I don't have this person's sign-in information] link.

Figure 3: Adding a new user account without sign-in information

Step 5.Click the [Add a user without a Microsoft account] link through the following window.

Figure 4: Adding a user without a Microsoft account

Step 6.Type the user name for the new account under the Who's going to use this PC? section.

Figure 5: Adding account information for the new user

Step 7.Type the password for the new account under the Make it secure section.

Step 8.Re-type the password for the new account under the section under it.

Step 9.Type something in the last section which will help you remember the password, if you ever forget or lose it.

Step 10.Click[Next] to proceed.

If you return to the Family & other users section of your Account Settings, you will see the new user account that you have just created.

Figure 6: New user account created

2.3. Screen Lock

To prevent third parties from physically accessing your computer, you should be able to lock access to your machine when you are not working on it and the screen should automatically lock itself after a period of inactivity. The sections below explain how you can do so.

2.3.1. How to set a time-out screen lock when your computer is inactive

If you step away from your computer and forget to lock your screen, your computer should automatically lock itself after several minutes of inactivity.

Step 4. Change the time under Install new updates: Every day at 3:00 AM to a daytime hour such as 5:00 PM.

Step 5. Check the check boxes next to Give me recommended updates the same way I receive important updates, Allow all users to install updates on this computer, and Give me updates for Microsoft products and check for new optional Microsoft software when I update Windows. These settings will improve the frequency and ease of updates and also update Microsoft Office suite products which are also frequent targets for software exploitations.

Figure 2: Windows 7 Update screen

Step 6.Click[OK] to save your update settings.

3.2. Windows Firewall

Ensuring that your system's firewall is turned on at all times is essential, as it is designed to protect your operating system from unauthorised access to your computer through the Internet based on a set of predetermined security rules.

To turn on your Windows firewall or to check that it is on, follow the steps below:

3.3. Removing Bloatware

Many PC manufacturers include additional software with Windows when you purchase a new computer. These manufacturers are paid by the software vendors to include this software and the bundled software may not benefit and may even harm the interest of the consumer. One high profile case was the Superfish adware pre-installed on Lenovo computers which actively broke internet security processes in order to serve advertisements to users.

Such software is known as bloatware: software which bloats your computer. Best practice is to install a fresh copy of Windows on a new computer using a disk provided by Microsoft, however this may often be impractical or expensive. The next best option is to uninstall the extra software that comes with your computer.

Step 1.Click the Start button and search for Add or Remove Programs.

Step 2. Review your installed programs. If you have a new computer this will be simpler than if you have been using it for long with many additional software installed. Look for programs you do not recognise and especially for programs not made by Microsoft. If you do not recognise a program try to research it online to understand its function and reputation. Also beware of software without a publisher name, meaning the software is not signed by a recognised software company.

Step 3. If you identify programs you would like to remove, click on it then click Uninstall and follow the program-specific uninstallation instructions.

4. Avoiding malware on Windows

4.1. Windows SmartScreen

The Microsoft Windows operating system includes SmartScreen, which is designed to protect users from malware and phishing attacks by scanning URLs accessed by the user against a blacklist of websites containing known threats.

To configure SmartScreen, follow the steps below:

Step 1. TypeControl Panel in your system search panel on the bottom of the screen, click on it to open Control Panel.

Step 2. Click[System and Security] and then [Security and Maintenance] to open window below. In this window click the [Change Windows SmartScreen settings] link on the left side of the window.

Figure 1: Security and Maintenance window

Step 2.Select the [Get administrator approval before running an unrecognised app from the Internet (recommended)] option to use SmartScreen protection against malicious URLs. Or select [Warn before running an unrecognised app] if your system does not offer previous option.

Figure 3: Enabling Windows SmartScreen

4.2. Windows Defender

Windows Defender is software designed to detect and remove malware and it is built in Windows operating systems.

To scan your computer for malware with Windows Defender, follow the steps below:

Step 5.Click[Update] to ensure that your virus and spyware definitions are automatically updated to help protect your PC.

Figure 4: Virus and spyware definitions

4.3. How to make file extensions visible to avoid being tricked by malware

File extensions are a part of the names of files which tell the operating system which type of file it is and what process or application to use to open it. For instance for the file While My Guitar Gently Weeps.mp3 the .mp3 portion of the name tells the computer that it is an MP3 music file and can be opened by your default music player. By default Windows will hide these extensions, and some malware exploits this setting by attempting to makes its files appear to be a different type than it actually is. To mitigate this threat, you can change Windows settings to view file extensions, and optionally to view hidden files and operating system files where viruses also sometimes hide.

4.4. How to view file extensions

Step 1. Open the File Explorer .

Step 2.Click the View menu tab and then click Options

Figure 1: Windows 10 File Explorer View tab

Step 3.Click the View tab.

Figure 2: Windows 10 Folder Options View tab

Step 4.Uncheck the box next to [Hide extensions for known file types].

Step 5.Click[OK].

Note: Notice now that file extensions will be visible on all files. Beware of files which are presented to you as being media or office documents but which have extensions for an unrelated file type such as .EXE, .MSI, or .BAT. A description of potentially dangerous file types can be found here.

4.5. How to view hidden and operating system files

Some malware hides itself as well as your documents as hidden files then creates shortcuts with names identical to your original documents which, when opened, redirect to the virus file and infects your computer. This is a particularly common attack on removable flash drives. To improve your ability to recognise infected file, you may change Windows settings to view hidden and operating system files.

Step 1.Open the File Explorer .

Step 2.Click the View menu tab and then click Options

Figure 1: Windows 10 File Explorer View tab

Step 3.Click the View tab.

Figure 2: Windows 10 Folder Options View tab

Step 4.Select the option [Show hidden files, folders, and drives] and uncheck the box next to [Hide protected operating system files (Recommended)]. You will see a warning window:

Figure 3: View protected operating system files warning

Step 5.Click[YES]. Windows operating system files will now be visible and should not be tampered with. However if you see unusual hidden files in your personal documents and removable drives you may be viewing malware.

Step 6.Click[OK].

Note: Standard operating system and temporary files known as will now be visible to you, such as or . You may ignore these safely.

4.6. How to disable AutoPlay to protect against malware

By default Windows enables AutoPlay a feature where plugged in removable media (like USB drives or devices) are examined and, based on their content, such as pictures, music or video files, an appropriate application to play or display the content is launched.

Step 1.Click the Start button and search for AutoPlay.

Figure 1: Windows AutoPlay options screen

Step 2.Turn offUse AutoPlay for all media and devices.

5. Windows full-disk encryption with BitLocker

Having a password to login to your Windows computer account is good first step but not enough to protect the files stored on this account. An attacker with physical access to the computer can read user files unless they are encrypted. BitLocker is built-in full disk encryption software offered by Microsoft in Windows 7 Enterprise, Windows 8 Pro, and most versions of Windows 10 (excluding Home version). Bitlocket can encrypt entire system disk of the computer, additional hard disks or partitions, and removable storage media.

Important: Steps below will help you encrypt your files. Without the correct password there will be no way to recover those files. Make a secure backup of your files before encrypting the files. Follow the below steps mindfully. Maintain a copy of your recovery key in a safe location (see below).

5.1. How to encrypt the hard drive containing your operating system

Step 1. Open This PC in the File Explorer, right-click your Local Disk (C:) and click Turn BitLocker on.

Figure 1: Right-click menu on system drive on Windows computer with BitLocker

Note: If you cannot find Turn BitLocker on in the menu above maybe you using a version of Windows which does not offer BitLocker. Consider upgrading your copy of Windows. Or see section 5.2. Alternatives to BitLocker below.

Note: in this example we assume that your Windows operating system is installed on drive C:

Important: If you see an error message This device can't use a Trusted Platform Module go to section In case of error "This device can't use a Trusted Platform Module" below.

Step 2. You can choose how will you unlock your disk when starting the computer. You can use the password. Or you can unlock the disk with USB that you will prepare. In this guide we will use a password. Click Enter a password.

Figure 2: BitLocker unlock method screen

Note: If you have a TPM chip in your computer you may have more options available to choose from in this step. Each offers different protection opportunities. For example when you use a USB flash drive option you can limit access to your information to people who have 2-factors of the authentication: they have this specific USB (or it's copy) and know the password to login to your account.

Step 3. Enter a strong password for BitLocker encryption.

Figure 3: BitLocker Create a password to unlock this drive

Note: If you use multiple languages on your computer and encounter password errors in following steps try using English language input method.

Step 4. In this step you can back up an encryption recovery key, which can be used to open your files (decrypt them) without knowing your password. It is important to store a copy of your recovery key in a secure place. You may wish to use more than one of the methods available to you. Note that saving your recovery key to your Microsoft account may compromise the security of the key, however it offers advantages in case of losing backup key files. In this example we will assume that you can save the file to a separate USB drive and hide protect this drive.

Insert a USB flash drive in your computer and click Save to a USB flash drive.

Step 10. If you enter correct password your computer will start as before. Login to your account. Double-click small BitLocker icon in the system tray to check the status of your drive encryption:

Figure 9: BitLocker drive encryption progress

Step 11. Allow time for the encryption process to complete.

Congratulations, you have encrypted your whole system drive!

In case of error "This device can't use a Trusted Platform Module"

If you encountered an error message saying This device can't use a Trusted Platform Module as shown in figure below it means that your computer does not have a Trusted Platform Module (TPM) chip that is used for encryption. However with a some configuration adjustments described below, BitLocker can still be used on computers without a TPM chip.

Figure 10: Manager BitLocker Window with TPM Error

Step 1. Press Start . Typegpedit.msc and press Enter. In the new window opened double-click:

Step 2. Then in the right-hand panel of this window, double-clickRequire additional authentication at startup to open new window. Note that there is also an option called Require additional authentication at startup (Windows Server 2008 and Windows Vista), ensure that you editing right option.

Step 3.SelectEnabled. Ensure that Allow BitLocker without a compatible TPM (Requires a password or a startup key on a USB flash drive) is enabled. Click [OK]

Figure 13: BitLocker policy editor

Step 4. Close the Local Group Policy Editor window and return to step 1 on beginning of this section "5.1. How to encrypt the hard drive containing your operating system"

5.2. Alternatives to Bitlocker

Since BitLocker is a closed source program its security cannot be independently verified. Additionally in some versions of Windows 10 Microsoft forces users to backup encryption recovery keys to a Microsoft online account which may compromise security of this key.

Open source full disk encryption alternatives exist for Windows: VeraCrypt and DiskCryptor both offer full system disk encryption.

There are programs which can encrypt specific files or folders on your computer, such as VeraCrypt, AxCrypt and GPG4Win.